Cisco Systems PI21AG, CB21AG manual How PEAP-GTC Works, 3-22

Page 76
How PEAP-GTC Works

Chapter 3 Configuring EAP Types

How PEAP-GTC Works

apparent. These weaknesses include a lack of protection of user identity, notification messages, or the EAP negotiation; no standardized mechanism for key exchange; no built-in support for fragmentation and reassembly; no support for acknowledged success or failure indicators; and a lack of support for fast reconnect.

Protected Extensible Authentication Protocol (PEAP) addresses these weaknesses by wrapping the EAP protocol within a Transport Layer Security (TLS) channel. Any EAP method running within PEAP is provided with the following:

Identity protection—The identity exchange is encrypted, and client certificates are provided after negotiation of the TLS channel.

Header protection—Because the EAP method conversation is conducted within a TLS channel, the EAP header is protected against modification.

Protected negotiation—Within PEAP, the EAP conversation is authenticated; integrity and replay are protected on a per-packet basis; and the EAP method negotiation that occurs within PEAP is protected, as are error messages sent within the TLS channel.

Support for key exchange—To provide keying material for a wide range of link-layer ciphersuites, EAP methods should provide a key hierarchy that generates authentication and encryption keys, as well as initialization vectors. By relying on the TLS key derivation method, PEAP provides the required keying material for any EAP method running within it.

Packet fragmentation and reassembly—Because EAP does not include support for fragmentation and reassembly, individual EAP methods need to include this capability. By including support for fragmentation and reassembly within PEAP, methods leveraging PEAP do not need to support fragmentation and reassembly on their own.

Acknowledged success or failure indications—By sending success or failure indications within the TLS channel, PEAP provides support for protected termination of the EAP conversation. Acknowledged indications prevent an attacker from carrying out denial-of-service (DOS) attacks by spoofing EAP failure messages or by tricking the EAP peer into accepting a rogue NAS by spoofing an EAP success message.

Fast reconnect—Where EAP is used for authentication in wireless networks, the EAP method should be able to quickly reauthenticate when the client is roaming between access points. PEAP supports fast reconnect by leveraging the TLS session resumption facility. Any EAP method running within PEAP can use fast reconnect.

Dictionary attack resistance—By conducting the EAP conversation within a TLS channel, PEAP protects an EAP method that might be subject to offline dictionary attacks if the EAP conversation had been conducted in the clear.

How PEAP-GTC Works

PEAP-GTC works in two phases.

In phase 1, an authentication server performs TLS authentication to create an encrypted tunnel and to achieve server-side authentication in a manner that is similar to Web server authentication that uses Secure Sockets Layer (SSL). When phase 1 of PEAP is successfully completed, all data is encrypted, including all sensitive user information.

Phase 2 is extensible. The client can authenticate by using the GTC method within the TLS tunnel.

 

 

 

Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide for Windows Vista

 

 

 

 

3-22

 

OL-16534-01

 

 

 

 

Image 76
Contents Software Release Americas HeadquartersCisco Systems, Inc 170 West Tasman Drive San Jose, CA 800 553-NETS Fax 408Turn the television or radio antenna until the interference stops Network Configurations Using Client Adapters Ad Hoc Wireless LANFCC Safety Compliance Statement PrefaceAdvanced Roaming Setting Two-Phase Tunneled AuthenticationObtaining Client Adapter Software Inserting the CardAccessing LEAP Properties for Configuration Configuring LEAPConfiguring and Starting Logging Finding the Version of the LEAP ModuleCreating Strong Passwords A-9 Antenna Installation WarningEAP Messages A-1 English Translation D-7Channels Acknowledgments and Licensing F-1Chinese Translation English Translationviii OL-16534-01Preface AudiencePurpose Audience, page Purpose, page Organization, page Conventions, pageOrganization ConventionsVaroitus Tämä varoitusmerkki merkitsee vaaraa. Olet tilanteessa, joka voi johtaa ruumiinvammaan. Ennen kuin työskentelet minkään laitteiston parissa, ota selvää sähkökytkentöihin liittyvistä vaaroista ja tavanomaisista onnettomuuksien ehkäisykeinoista. Tässä julkaisussa esiintyvien varoitusten käännökset löydät liitteestä Translated Safety Warnings käännetyt turvallisuutta koskevat varoitukset Related Publications Obtaining Documentation, Obtaining Support, and Security GuidelinesProduct Overview and Installation Network Configurations Using Client Adapters, pageSafety information, page Unpacking the Client Adapter, page Installing the Client Adapter Driver and Software, pageIntroduction to the Client Adapters TerminologyPC-Cardbus cardHardware Components RadioRadio Antenna LEDsAd Hoc Wireless LAN Network Configurations Using Client AdaptersSoftware Components Wireless Infrastructure with Workstations Accessing a Wired LAN Figure 1-1 Ad Hoc Wireless LANFCC Safety Compliance Statement Safety informationSafety Guidelines Unpacking the Client Adapter WarningsPackage Contents System Requirementshttp//support.microsoft.com/kb/932063 http//support.microsoft.com/kb/935222For Infrastructure Devices Site RequirementsFor Client Devices Inserting a PC-Cardbus Card Inserting the Client Adapter1-10 Inserting a PCI Card Changing the BracketInsert the card see the “Inserting the Card” section on page Assemble the antenna see the “Assembling the Antenna” section on pageInserting the Card 1-12Assembling the Antenna 1-13Mounting the Antenna 1-141-15 Step 1 Perform one of the following1-16 Step 8 If the Found New Hardware Wizard window appears, click CancelStep 5 Click Wireless Software Step 7 Click Cisco Aironet Wireless LAN Client AdaptersObtaining Client Adapter Software Step 6 Click Client Adapters and Client SoftwareInstalling the Client Adapter Driver and Software 1-18Figure 1-11 Cisco Aironet Installation Program Window 1-19Hardware Insertion 1-20 Figure 1-13 Cisco Aironet Installation Program-Setup Status Window1-21 Step 8 Click Finish1-22 Configuring Wireless Profiles Overview of Wireless Profiles, pageAccessing Microsoft Vista Network and Sharing Center, page Creating a New Profile and Configuring Basic Settings, pageOverview of Wireless Profiles Accessing Microsoft Vista Network and Sharing CenterCreating a New Profile and Configuring Basic Settings Cisco Aironet 802.11a/b/g Wireless Adapter see Figure Creating a New Profile and Configuring Basic Settings Step 7 In this dialog box, enter information for the wireless network that you want to add.Table 2-1 lists and describes general settings for the profile. Follow the instructions in the table to configure these settings Setting Encryption Types” section on pageWhat to Enter and Encryption Types” section on page Chapter 3, “Configuring EAP Types.” The enterprise network EAPProfile Management General Settings continued Setting Security and Encryption Types WEP Shared Security with Static WEP KeysWPA and WPA2 2-10802.1X with Dynamic WEP Keys 2-11CCKM Fast Secure Roaming Accessing a Profile That Was Created Previously2-12 2-13 Viewing and Changing the Settings of a ProfileFigure 2-7 Network and Sharing Center Window 2-14 Figure 2-8 Wireless Network properties Dialog Box-Connection Tabis available, Choose Control Panel Manage Wireless Networks Settings dialog box. See the “Radio Measurement” section onpage 2-18 and the “Advanced Roaming Setting” section on page in Table 2-1 on page2-16 Figure 2-9 Wireless Network properties Dialog Box-Security Tab2-17 Radio Measurement 2-18Advanced Roaming Setting 2-192-20 Configuring EAP Types Configuring EAP-FAST, page Overview of LEAP, pageHow LEAP Works, page Configuring LEAP, page Configuring PEAP-GTC, pageTwo-Phase Tunneled Authentication Two-Phase Tunneled Authentication, pageProtected Access Credentials, page How EAP-FAST WorksProtected Access Credentials Server Certificate ValidationConfiguring EAP-FAST Accessing EAP-FAST Properties for ConfigurationAccessing EAP-FAST Properties for Configuration, page Configuring EAP-FAST Settings in the Connection Tab, pageConfiguring EAP-FAST Settings in the Connection Tab Default On Default anonymousDefault On Default NoneDefault Enabled Use Protected AccessDefault Off PAC box and the Validate Server Certificate box at the same timeOverview of the User Credentials Tab Usernames and PasswordsClient Certificates 3-10 Configuring EAP-FAST Settings in the User Credentials TabFigure 3-3 User Credentials Tab in EAP-FAST Properties Window Mode with OTP” section on page information about OTP, see the “Understanding PIN Mode and Token3-11 Understanding PIN Mode and Token Mode with OTP 3-12Figure 3-4 New PIN Prompt Window Figure 3-5 Next Token Prompt WindowConfiguring EAP-FAST Settings in the Authentication Tab 3-13Table 3-3 lists and describes options for authentication 3-14Figure 3-6 Authentication Tab in EAP-FAST Properties Window Default Disabled a certificate on this computer radio button in the User3-15 Select an authentication3-16 Finding the Version of the EAP-FAST ModuleFigure 3-7 About Tab in EAP-FAST Properties Window How LEAP Works Overview of LEAP3-17 Configuring LEAP Accessing LEAP Properties for ConfigurationAccessing LEAP Properties for Configuration, page Configuring LEAP Settings in the Network Credentials Tab, page3-19 Configuring LEAP Settings in the Network Credentials TabFigure 3-8 Wireless Network Properties Window 3-20 SettingsTable 3-4 LEAP Network Credentials Settings LEAP Network CredentialsFinding the Version of the LEAP Module Overview of PEAP-GTC3-21 How PEAP-GTC Works 3-22Configuring PEAP-GTC Accessing PEAP-GTC Properties for ConfigurationAccessing PEAP-GTC Properties for Configuration, page Configuring PEAP-GTC Settings in the Connection Tab, page3-24 Figure 3-10 Wireless Network Properties Window3-25 Configuring PEAP-GTC Settings in the Connection TabFigure 3-11 Connection Tab in PEAP-GTC Properties Window Default anonymous If the Validate server certificate box is checked and the Do notprompt user to authorize new servers or trusted certificate If the Validate server certificate box is checked but the Do notConfiguring PEAP-GTC Settings in the User Credentials Tab 3-27Default Off password optionand Token Mode with OTP” section on page which is the case for the Prompt automatically for username andPEAP-GTC User Credentials Options continued 3-29Figure 3-13 New PIN Prompt Window Understanding PEAP-GTC Authentication Finding the Version of the PEAP-GTC Module3-30 Figure 3-14 Next Token Prompt WindowPerforming Administrative Tasks Using Microsoft Tools to Perform Administrative Tasks, pageThe EAP-FAST XML Schema, page The PEAP-GTC XML Schema, page The LEAP XML Schema, page Logging for EAP Modules, pageUsing Microsoft Tools to Perform Administrative Tasks Overview of Group Policy ObjectsAdding a Group Policy Object Editor Overview of Group Policy Objects, pagea. Go to File Add/Remove Snap-in Creating a EAP Group Policy Object in Windows Vistag. From the Select Group Policy Object dialog box, click Finish Configuring Machine Authentication for EAP-FAST Configuring Machine Authentication for PEAP-GTC Configuring Single Sign-On for EAP-FASTConfiguring Single Sign-On for PEAP-GTC and LEAP The EAP-FAST XML Schema xsdocumentation xselement xschoice xselement name=authenticateWithToken xscomplexType xssequence 4-10 xselement xselement name=sendViaInnerMethod xscomplexType xsall4-11 xscomplexType name=PasswordFromProfile xssimpleContent4-12 4-13 xsannotation xselement xschoice xselement name=enableFastReconnect4-14 4-15 xssimpleType xsrestriction base=xsstring xsenumeration value=exactly4-16 xselement name=anyServerName type=Empty xsannotationThe PEAP-GTC XML Schema 4-174-18 4-19 xscomplexContent xscomplexType xscomplexType name=IdentityPattern4-20 xscomplexType name=TokenSource xschoice4-21 xschoice xssequence xscomplexType4-22 The LEAP XML Schema 4-234-24 attributeFormDefault=unqualified xselement name=eapLeap type=EapLeap4-25 Configuring and Starting Logging Configuring and Starting Logging, pageStep 1 Choose Start All Programs Accessories Step 2 Right-click Command Prompt and select Run as administratorDisabling Logging and Flushing Internal Buffers wevtutil sl Cisco-EAP-FAST/Debug /efalsewevtutil sl Cisco-EAP-PEAP/Debug /efalse wevtutil sl Cisco-EAP-LEAP/Debug /efalseLocating Log Files wevtutil sl Cisco-EAP-FAST/Debug /lfn“pathtoetllogfile”wevtutil sl Cisco-EAP-PEAP/Debug /lfn“pathtoetllogfile” wevtutil sl Cisco-EAP-LEAP/Debug /lfn“pathtoetllogfile”Removing a Client Adapter, page Routine ProceduresUpgrading the Client Adapter Software, page Removing a PC-Cardbus Card Removing a Client AdapterRemoving a PCI Card Upgrading the Client Adapter Software Step 5 Click Update the previous installation Figure 5-3 Cisco Aironet Installation Program-Setup Status Window Step 8 Click Finish Troubleshooting with Cisco Aironet Client Diagnostics, page Troubleshooting and DiagnosticsEnabling Client Reporting, page Troubleshooting with Cisco Aironet Client Diagnostics Figure 6-1 Network and Sharing Center WindowFigure 6-2 Cisco Aironet Client Diagnostics Dialog Box Figure 6-3 Cisco Aironet Client Diagnostics Dialog Box-Choose AdapterFigure 6-5 Cisco Aironet Client Diagnostics Dialog Box-Testing Delay Figure 6-6 Cisco Aironet Client Diagnostics Dialog Box-Test Window Figure 6-7 Aironet Desktop Utility-Stop Running DiagnosticsEnabling Client Reporting EAP-FAST Error Messages and Prompts EAP-FAST Error Messages and Prompts, page A-1PEAP-GTC and LEAP Error Messages and Prompts, page A-6 Creating Strong Passwords, page A-9Appendix A EAP Messages EAP-FAST Error Messages and Prompts Page Recommended Action Enter a username Recommended Action Press OK to continue PEAP-GTC and LEAP Error Messages and Prompts Page Page Characteristics of Strong Passwords Creating Strong PasswordsCharacteristics of Weak Passwords Password Security Basics A-10Radio Specifications, page B-3 Technical SpecificationsA P P E N D I X B Physical Specifications Radio Specifications 5150 to 5250 MHz 5250 to 5350 MHz5470 to 5725 MHz 5725 to 5805 MHzIndoor typical Outdoor typicalPower Specifications Safety and Regulatory Compliance SpecificationsTranslated Safety Warnings Antenna Installation Warning, page C-3A P P E N D I X C Explosive Device Proximity Warning, page C-2Explosive Device Proximity Warning Antenna Installation Warning Warning for Laptop Users Page Page Declarations of Conformity and Regulatory Information A P P E N D I X DDepartment of Communications - Canada, page D-3 Declaration of Conformity for RF Exposure, page D-7FCC Certification Number LDK102050 CB21AG European Community, Switzerland, Norway, Iceland, and Liechtenstein Department of Communications - CanadaCanadian Compliance Statement Page Cisco Aironet CB21AG Wireless LAN Client Adapter Declaration of Conformity StatementCisco Aironet PI21AG Wireless LAN Client Adapter Declaration of Conformity for RF Exposure Japanese TranslationEnglish Translation 03-6434-6500Chinese Translation 2.4- and 5-GHz Client AdaptersEnglish Translation Brazil/Anatel Approval 5-GHz Client AdaptersAIR-CB21AG-W-K9 D-10AIR-PI21AG-W-K9 D-11D-12 A P P E N D I X E Channels, page E-2 Maximum Power Levels and Antenna Gains, page E-4Channels, Power Levels, and Antenna Gains Channels IEEE 802.11aIEEE 802.11b/g Regulatory DomainsMaximum Power Levels and Antenna Gains IEEE 802.11bIEEE 802.11g Maximum Power Levels and Antenna Gains Acknowledgments and Licensing A P P E N D I X FAppendix F Acknowledgments and Licensing Appendix F Acknowledgments and Licensing OL-16534-01Appendix F Acknowledgments and Licensing Abbreviations A P P E N D I X GTable G-1 List of Acronyms continued
Related manuals
Manual 34 pages 15 Kb Manual 286 pages 35.03 Kb Manual 22 pages 28.37 Kb Manual 22 pages 55.14 Kb